/** * @NoAdminRequired * @UseSession * * @param string $oldPassword * @param string $newPassword * @return DataResponse */ public function updatePrivateKeyPassword($oldPassword, $newPassword) { $result = false; $uid = $this->userSession->getUser()->getUID(); $errorMessage = $this->l->t('Could not update the private key password.'); //check if password is correct $passwordCorrect = $this->userManager->checkPassword($uid, $newPassword); if ($passwordCorrect !== false) { $encryptedKey = $this->keyManager->getPrivateKey($uid); $decryptedKey = $this->crypt->decryptPrivateKey($encryptedKey, $oldPassword); if ($decryptedKey) { $encryptedKey = $this->crypt->symmetricEncryptFileContent($decryptedKey, $newPassword); $header = $this->crypt->generateHeader(); if ($encryptedKey) { $this->keyManager->setPrivateKey($uid, $header . $encryptedKey); $this->session->setPrivateKey($decryptedKey); $result = true; } } else { $errorMessage = $this->l->t('The old password was not correct, please try again.'); } } else { $errorMessage = $this->l->t('The current log-in password was not correct, please try again.'); } if ($result === true) { $this->session->setStatus(Session::INIT_SUCCESSFUL); return new DataResponse(['message' => (string) $this->l->t('Private key password successfully updated.')]); } else { return new DataResponse(['message' => (string) $errorMessage], Http::STATUS_BAD_REQUEST); } }
/** * @param IToken $dbToken * @param string $token * @return boolean */ private function checkTokenCredentials(IToken $dbToken, $token) { // Check whether login credentials are still valid and the user was not disabled // This check is performed each 5 minutes $lastCheck = $dbToken->getLastCheck() ?: 0; $now = $this->timeFacory->getTime(); if ($lastCheck > $now - 60 * 5) { // Checked performed recently, nothing to do now return true; } try { $pwd = $this->tokenProvider->getPassword($dbToken, $token); } catch (InvalidTokenException $ex) { // An invalid token password was used -> log user out return false; } catch (PasswordlessTokenException $ex) { // Token has no password if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) { $this->tokenProvider->invalidateToken($token); return false; } $dbToken->setLastCheck($now); $this->tokenProvider->updateToken($dbToken); return true; } if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false || !is_null($this->activeUser) && !$this->activeUser->isEnabled()) { $this->tokenProvider->invalidateToken($token); // Password has changed or user was disabled -> log user out return false; } $dbToken->setLastCheck($now); $this->tokenProvider->updateToken($dbToken); return true; }
public function testAddUser() { $this->resetParams(); $_POST['userid'] = $this->getUniqueID(); $_POST['password'] = '******'; $result = $this->api->addUser(); $this->assertInstanceOf('OC_OCS_Result', $result); $this->assertTrue($result->succeeded()); $this->assertTrue($this->userManager->userExists($_POST['userid'])); $this->assertEquals($_POST['userid'], $this->userManager->checkPassword($_POST['userid'], $_POST['password'])->getUID()); $this->users[] = $this->userManager->get($_POST['userid']); }
/** * try to log in with the provided credentials * * @param string $uid * @param string $password * @return boolean|null * @throws LoginException */ public function login($uid, $password) { $this->session->regenerateId(); if ($this->validateToken($password)) { $user = $this->getUser(); // When logging in with token, the password must be decrypted first before passing to login hook try { $token = $this->tokenProvider->getToken($password); try { $password = $this->tokenProvider->getPassword($token, $password); $this->manager->emit('\\OC\\User', 'preLogin', array($uid, $password)); } catch (PasswordlessTokenException $ex) { $this->manager->emit('\\OC\\User', 'preLogin', array($uid, '')); } } catch (InvalidTokenException $ex) { // Invalid token, nothing to do } } else { $this->manager->emit('\\OC\\User', 'preLogin', array($uid, $password)); $user = $this->manager->checkPassword($uid, $password); } if ($user !== false) { if (!is_null($user)) { if ($user->isEnabled()) { $this->setUser($user); $this->setLoginName($uid); $this->manager->emit('\\OC\\User', 'postLogin', array($user, $password)); if ($this->isLoggedIn()) { $this->prepareUserLogin(); return true; } else { // injecting l10n does not work - there is a circular dependency between session and \OCP\L10N\IFactory $message = \OC::$server->getL10N('lib')->t('Login canceled by app'); throw new LoginException($message); } } else { // injecting l10n does not work - there is a circular dependency between session and \OCP\L10N\IFactory $message = \OC::$server->getL10N('lib')->t('User disabled'); throw new LoginException($message); } } } return false; }
/** * @PublicPage * @UseSession * * @param string $user * @param string $password * @param string $redirect_url * @return RedirectResponse */ public function tryLogin($user, $password, $redirect_url) { $originalUser = $user; // TODO: Add all the insane error handling /* @var $loginResult IUser */ $loginResult = $this->userManager->checkPassword($user, $password); if ($loginResult === false) { $users = $this->userManager->getByEmail($user); // we only allow login by email if unique if (count($users) === 1) { $user = $users[0]->getUID(); $loginResult = $this->userManager->checkPassword($user, $password); } } if ($loginResult === false) { $this->session->set('loginMessages', [['invalidpassword']]); // Read current user and append if possible - we need to return the unmodified user otherwise we will leak the login name $args = !is_null($user) ? ['user' => $originalUser] : []; return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)); } // TODO: remove password checks from above and let the user session handle failures // requires https://github.com/owncloud/core/pull/24616 $this->userSession->login($user, $password); $this->userSession->createSessionToken($this->request, $loginResult->getUID(), $user, $password); if ($this->twoFactorManager->isTwoFactorAuthenticated($loginResult)) { $this->twoFactorManager->prepareTwoFactorLogin($loginResult); if (!is_null($redirect_url)) { return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', ['redirect_url' => $redirect_url])); } return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge')); } if (!is_null($redirect_url) && $this->userSession->isLoggedIn()) { $location = $this->urlGenerator->getAbsoluteURL(urldecode($redirect_url)); // Deny the redirect if the URL contains a @ // This prevents unvalidated redirects like ?redirect_url=:user@domain.com if (strpos($location, '@') === false) { return new RedirectResponse($location); } } return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index')); }
/** * @NoAdminRequired * @UseSession * * @param string $oldPassword * @param string $newPassword * @return DataResponse */ public function updatePrivateKeyPassword($oldPassword, $newPassword) { $result = false; $uid = $this->userSession->getUser()->getUID(); $errorMessage = $this->l->t('Could not update the private key password.'); //check if password is correct $passwordCorrect = $this->userManager->checkPassword($uid, $newPassword); if ($passwordCorrect === false) { // if check with uid fails we need to check the password with the login name // e.g. in the ldap case. For local user we need to check the password with // the uid because in this case the login name is case insensitive $loginName = $this->ocSession->get('loginname'); $passwordCorrect = $this->userManager->checkPassword($loginName, $newPassword); } if ($passwordCorrect !== false) { $encryptedKey = $this->keyManager->getPrivateKey($uid); $decryptedKey = $this->crypt->decryptPrivateKey($encryptedKey, $oldPassword, $uid); if ($decryptedKey) { $encryptedKey = $this->crypt->encryptPrivateKey($decryptedKey, $newPassword, $uid); $header = $this->crypt->generateHeader(); if ($encryptedKey) { $this->keyManager->setPrivateKey($uid, $header . $encryptedKey); $this->session->setPrivateKey($decryptedKey); $result = true; } } else { $errorMessage = $this->l->t('The old password was not correct, please try again.'); } } else { $errorMessage = $this->l->t('The current log-in password was not correct, please try again.'); } if ($result === true) { $this->session->setStatus(Session::INIT_SUCCESSFUL); return new DataResponse(['message' => (string) $this->l->t('Private key password successfully updated.')]); } else { return new DataResponse(['message' => (string) $errorMessage], Http::STATUS_BAD_REQUEST); } }